hi,
i just want to write a little tool that executes some extra processes when a specific program is executed. simply said: i want to autodetect if the user executes a specific program. the problem is that i don't even know where to begin. must i hook windows functions? if yes, which ones? or are there special apis available?
the only solution so far i know is to constantly check with findwindow if the process is spawned yet. but i think this would be very time consuming...
thanks for help
Posted on 2005-06-03 10:57:48 by warhog
What's time consuming about it?

Create a Timer Using SetTimer and set the delay on 60 seconds. And on every WM_TIMER message, check if the app was spawned. Easy.
Posted on 2005-06-03 13:14:16 by JimmyClif
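The same "check on a timer" idea, as an added example that is not code from anyone in this thread: instead of calling FindWindow from a WM_TIMER handler, it lets WMI do the polling and raise an event for every new Win32_Process, which is the kind of ready-made API warhog asked about and needs no hooking. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the program being watched (notepad.exe) and the extra process it launches (C:\Tools\OnLaunch.exe) are placeholders chosen for the example.

```powershell
# Added example, not code from the thread. Reacts when a chosen program starts
# by subscribing to a WMI/CIM intrinsic event; no window polling, no API hooks.
# Assumptions: Windows PowerShell 5.1 / PowerShell 7 on Windows; Target and
# ActionExe below are placeholders for this example.

$watch = @{
    Target    = 'notepad.exe'            # placeholder: image name to watch for
    ActionExe = 'C:\Tools\OnLaunch.exe'  # placeholder: extra process to start
}

# WITHIN 2 asks WMI to poll its process list every 2 seconds and raise one
# __InstanceCreationEvent per new Win32_Process (JimmyClif's timer, but the
# timer lives inside WMI rather than in our own WM_TIMER handler).
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_Process'"

# The -Action block runs in its own runspace and cannot read our local
# variables, so the settings travel in -MessageData.
Register-CimIndicationEvent -Query $query -SourceIdentifier 'ProcWatch' `
    -MessageData $watch -Action {
        $proc = $Event.SourceEventArgs.NewEvent.TargetInstance
        $cfg  = $Event.MessageData
        if ($proc.Name -ieq $cfg.Target) {
            Write-Host ("{0}  {1} started (PID {2}) from {3}" -f
                (Get-Date -Format 'HH:mm:ss'), $proc.Name, $proc.ProcessId, $proc.ExecutablePath)
            # Hand the new process id to the extra work we want done.
            Start-Process -FilePath $cfg.ActionExe -ArgumentList $proc.ProcessId
        }
    } | Out-Null

Write-Host "Watching for $($watch.Target); press Ctrl+C to stop."
try {
    # Keep the session, and with it the subscription, alive.
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    Unregister-Event -SourceIdentifier 'ProcWatch'
}
```

Two caveats a practitioner should keep in mind: a 2-second poll can miss a process that exits faster than that, and matching on Name is defeated by a renamed copy of the binary (compare ExecutablePath or the image hash if that matters). For an audit trail rather than a live reaction, Windows process-creation auditing (Security event 4688) or Sysmon event 1 is the more reliable source.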
Hello,

try with custom dll that will be loaded to every win32 application that uses the user32.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs=path to your dll

hehe, already tried this trick with messagebox, and only DLL_THREAD_ATTACH is working, so every time a thread is created your DllMain is called
http://support.microsoft.com/kb/q197571/#kb2
Posted on 2005-06-03 13:20:24 by sapero
Hi,

i just want to write a little tool that executes some extra processes when a specific program is executed. simply said: i want to autodetect if the user executes a specific program.


You may want to use the "Image File Execution Options" debugging option of the NT family (not working on 9x AFAIK).
This allows you to launch a specific "debugger" program instead of a specific "target" program. The target's name is passed to the debugger as a command line argument so you can launch the target using CreateProcess with DEBUG_PROCESS flag (to avoid recursion).

See http://blogs.msdn.com/greggm/archive/2005/02/21/377663.aspx for more details (particularly the "How does this actually work" section).

Hope this helps...
Posted on 2005-06-03 18:13:45 by chep
chep,
you can make every exe run through your exe by setting the following reg key

HKEY_CLASSES_ROOT\exefile\shell\open\command to: "C:\Logger.exe" "%1" %*

logger.exe should contain code similar to the following


.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc     ; needed for NULL and SW_SHOWNORMAL
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\shell32.inc
includelib \masm32\lib\shell32.lib
.data
szOpen byte 'open',0
.code
start:
invoke GetCommandLine                   ; eax -> full command line we were started with
invoke ShellExecute,0,addr szOpen,eax,NULL,NULL,SW_SHOWNORMAL
invoke ExitProcess,0
end start


Be careful with this method though, because if you accidentally delete C:\Logger.exe before removing its registry key then you won't be able to run any .exe :\ in which case you'd have to rename regedit.exe to regedit.bat, then run it and delete the key above.
Posted on 2005-06-03 21:31:46 by Webring
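The three registry locations proposed so far (sapero's AppInit_DLLs, chep's Image File Execution Options "debugger", and Webring's exefile open command) are all legitimate Windows features that also redirect or inject into program launches, which is exactly why a defender wants to know what is set in them. The following audit script is an added example and not code from anyone in this thread; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and only reads the registry, so it needs no elevation.

```powershell
# Added example, not code from the thread: report non-default settings in the
# three launch-redirection locations discussed above.
# Assumption: Windows PowerShell 5.1 / PowerShell 7 on Windows (read-only).

function Get-ExecRedirectAudit {
    $findings = @()

    # 1. AppInit_DLLs (sapero): DLLs listed here are loaded into every process
    #    that loads user32.dll. On 64-bit Windows the 32-bit view is separate.
    $appInitKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($path in $appInitKeys) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($props -and -not [string]::IsNullOrWhiteSpace($props.AppInit_DLLs)) {
            $findings += [pscustomobject]@{
                Mechanism = 'AppInit_DLLs'
                Location  = $path
                Value     = $props.AppInit_DLLs
                Note      = "LoadAppInit_DLLs=$($props.LoadAppInit_DLLs)"
            }
        }
    }

    # 2. Image File Execution Options (chep): a Debugger value under a subkey
    #    named after an exe makes Windows start that "debugger" instead.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{
                Mechanism = 'IFEO Debugger'
                Location  = $sub.PSChildName
                Value     = $dbg
                Note      = 'expected only where you deliberately configured a debugger'
            }
        }
    }

    # 3. exefile open command (Webring): the stock value is "%1" %* ; anything
    #    else routes every .exe launch through another program first.
    $cmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd.Trim() -ne '"%1" %*') {
        $findings += [pscustomobject]@{
            Mechanism = 'exefile open command'
            Location  = $cmdKey
            Value     = $cmd
            Note      = 'expected "%1" %*'
        }
    }

    return $findings
}

# Print whatever is set; no output rows means all three locations are at defaults.
$results = Get-ExecRedirectAudit
if ($results) {
    $results | Format-Table -AutoSize
} else {
    'No launch-redirection entries found (AppInit_DLLs empty, no IFEO debuggers, default exefile command).'
}
```

Run it periodically or from a scheduled task and diff the output against a known-good baseline; a new IFEO Debugger or a changed exefile command is the kind of change that deserves a look even when it was put there by a legitimate tool.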
I wouldn't recommend Webring's solution, it is very error-prone, and will probably set off any decent antiviral program. I guess you could hook NtCreateProcess/Ex from NTDLL.DLL, all execution should go through those routines, unless an application directly does the system calls...

Posted on 2005-06-03 22:43:38 by f0dder
Actually, for global dll injection (which is the preferred way to hook api functions) on nt systems it's recommended that you hook NtCreateThread. Elicz wrote a nice example of this with his wonderful apihooks package. I recommend instead of trying to write your own hooking engine just use his. He seems to have a very in-depth knowledge on windows internals, is precise on error handling, and his package is free. Another option is you could wait for my "willit" static lib, whose only advantage over apihooks is size, more documentation, and slight ease in use.

Oh and f0dder's right about my method posted earlier, i never said it was safe, just an alternative :)
Posted on 2005-06-03 23:19:05 by Webring
hi guys,
thanks a lot for so much hints!!! i'm going to try out all the proposals made. but if there are ready packages like webring said i think i'm going to use them cause why should i reinvent the wheel? and furthermore this seems to be complicated so the app needs 2 days to develop and the apihooking needs 2 months. this isn't really effective ;)

again thanks for the help all!
Posted on 2005-06-04 05:42:34 by warhog

you can make every exe run through your exe by setting the following reg key

HKEY_CLASSES_ROOT\exefile\shell\open\command to: "C:\Logger.exe" "%1" %*

logger.exe should contain code similar to the following


.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc     ; needed for NULL and SW_SHOWNORMAL
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\shell32.inc
includelib \masm32\lib\shell32.lib
.data
szOpen byte 'open',0
.code
start:
invoke GetCommandLine                   ; eax -> full command line we were started with
invoke ShellExecute,0,addr szOpen,eax,NULL,NULL,SW_SHOWNORMAL
invoke ExitProcess,0
end start



Just wondering... won't such code provoke an infinite recursion due to ShellExecute? Shouldn't one use CreateProcess instead?
Posted on 2005-06-04 05:44:01 by chep
ShellExecute is just a wrapper to CreateProcess on win9x boxes and a wrapper for CreateNtProcess on nt+ boxes. Of which I think you already knew, due to what you were saying. So calling it won't provoke an infinite recursion no, and using CreateProcess instead would be the better choice, yes.
Posted on 2005-06-04 11:03:11 by Webring
ShellExecute() actually does more than a CreateProcess() or WinExec() call in that it will run a file by recognising its extension and using the "shell" to load the correct exe that is associated with that file. Once this is done, it is no different to the bare CreateProcess() or WinExec() calls.
Posted on 2005-06-04 11:26:03 by hutch--
But if ShellExecute searches the registry for the file association, and exe files are associated with Loader.exe, that would cause an endless loop... just like chep pointed out. (I haven't actually tried it though).
Posted on 2005-06-06 15:17:36 by QvasiModo
QvasiModo, I have tried it, and it doesn't loop
Posted on 2005-06-09 14:55:56 by Webring

QvasiModo, I have tried it, and it doesn't loop

Oh, alright then. :)
Posted on 2005-06-13 15:07:10 by QvasiModo
I wanted to do a few things with Windows Explorer so I can step up to the common users' favorite firewalls and do a few things for it without the flash of window and throwing hints when hiding (blocking) than re-executing stuff but heck I guess it goes far deeper than the way I was trying to do. Still looking and working on ways to do it.

Also, I wonder about Webring's method because it proved to be limited to what it can really see executing. If it doesn't have an .exe extension you will never be able to see it. There are other window extensions that have to be addressed here. I'm sure this is no new news to those who know. The question is how do you handle them all and the un-known too?


This is what i came up with after searching for clues a few weeks ago. I think it's all in Icz Mouse Hook with a few modifications. I hope it is related to the original question.
Maybe you can add a cmp routine to the programs you want to track just in case it doesn't have an .exe extension. I would use Webring's method first then jmp down to an idea like that just in case. Hope it makes sense, if not just move on and don't stop. This is my 35 cents

;  3 8 6 heehee
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib

.const
WM_SHELLHOOK equ WM_USER+6

.data
hInstance dd 0

.data?
hHook dd ?
hWnd dd ?

.code

start:

DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD
.if reason==DLL_PROCESS_ATTACH
push hInst
pop hInstance
.endif
mov eax,TRUE
ret
DllEntry Endp

ShellProc proc nCode:DWORD,wParam:DWORD,lParam:DWORD

; nCode is a signed value; a plain DWORD compare would treat negatives as
; huge positives, so compare it as a signed dword.
.if sdword ptr nCode < 0
invoke CallNextHookEx,hHook,nCode,wParam,lParam
ret
.elseif nCode==HSHELL_WINDOWCREATED
mov eax,wParam                          ; wParam = handle of the newly created top-level window
invoke PostMessage,hWnd,WM_SHELLHOOK,eax,0
.endif

xor eax,eax
ret
ShellProc endp

InstallHook proc hwnd:DWORD
push hwnd
pop hWnd
invoke SetWindowsHookEx,WH_SHELL,addr ShellProc,hInstance,NULL
mov hHook,eax
ret
InstallHook endp

UninstallHook proc
invoke UnhookWindowsHookEx,hHook
ret
UninstallHook endp

End DllEntry


Posted on 2005-06-20 15:15:51 by ib386